How To Stop Cyberattacks: Diplomacy. Well, Maybe.

If you attended today’s still-unfolding big cybersecurity confab in Washington, sponsored by the Armed Forces Communications & Electronics Association, you heard a parade of military officers and Obama administration officials say — well, not a whole lot.

It’s hard to defend against a cyberattack… Everyone — civilian and military, public and private sector — needs to work together and pool resources and information… Incentivize cooperation… The supply chain is vulnerable… U.S. Cyber Command is developing integrated planning and operational frameworks…

And then there was Bruce Held.

Held is the Department of Energy’s intelligence chief and he said he spoke from the perspective of a longtime intel hand. His answer to the cybersecurity problem: diplomacy.

Well, sort of. For Held, it’s a probability issue. “A static cyber defense can never win against an agile cyber offense,” he told a panel this morning discussing the prevention of catastrophic cyberattacks. “You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you.” If you want to protect the nation’s electricity grid, beefing up security for it — physical security, cybersecurity, etc. — quickly becomes prohibitively expensive. “You need a protection strategy,” he said, and that means you have to change the game.

How? For starters, don’t compartmentalize cybersecurity as a job for the military’s new U.S. Cyber Command or the guardians of civilian networks at the Department of Homeland Security. Treat cybersecurity as a component of a broad national defense strategy, rather than a techie-driven deviation from it. Unleash the diplomats and prepare the economic sanctions packages, in other words, if you want to prevent your servers from getting fried.

To take it a step further: it’s about making an adversarial foreign power reconsider launching an attack. “If you wish to influence my behavior, you have to impose risks and consequences on me,” Held continued. “It does not have to be perfect. You just have to impact my behavior.” Someone’s been playing Diplomacy.

Can you spot the presumptions behind Held’s contention? Sure you can. One: we’ll be able to attribute attacks to specific state actors. Well, will we? You can launch a cyber attack from proxy servers in third countries to conceal your identity. Brigadier General John Davis, the director of current operations for Cyber Command, said forthrightly during the same panel discussion that his “number-one challenge” was developing “situational awareness” of the cyberthreats that the U.S. faces.

As an intel guy, Held said he thought the “cyber people tend to make it impossible” to figure out who’s going after your networks. “You don’t need the specific computer it’s coming from. You need to know what country it’s coming from.” But what about those third-country servers?

Two: big cyberattacks are instruments of state power. Bands of hackers and cybercrooks aren’t diplomatic problems. They’re law enforcement problems. So Held at least implicitly reserved his remarks for something like a hypothetical bot attack that took out tens of millions of cellphone subscribers and then followed up with a strike on part of the nation’s electricity grid. That’s a nightmare scenario dreamed up earlier this year by the Bipartisan Policy Center, an inoffensive Washington think tank, for a kind of breathless dramatization of the threat, called Cyber Shockwave.

Something like that is unlikely to be “just a hacker,” Held said. “It’s close to a very unfriendly act. Some might say an act of cyber war.”

General Davis indicated that Cyber Command is on a similar wavelength. One of the challenges for the new command is to “wipe some of the routine threats off the radar,” he said, thereby allowing “the intelligence community to focus on the sophisticated threats.” Whoa, say what? Does that mean that the new military command co-located within the National Security Agency is going to leave the most challenging cyber-defense — and offense — tasks to the spooks?

Davis later clarified to Danger Room that he meant that the command wanted to “put the basic cyber standards in place” across users of the military’s networks (you know, the sites ending in .mil) so the command wouldn’t waste time responding to phishing efforts. “Don’t click on unknown or malicious software,” Davis said. “Basic blocking and tackling.” CYBERCOM: your military tech support. Unfortunately, I wasn’t able to draw Davis out on what he meant by leaving the intel folks to focus on the “sophisticated threats.” Cybercom remains something of a military/intelligence cipher text.

Held, though, capped his point with an analogy. “We never secured New York City from a Soviet nuclear attack,” he observed, “but we protected it very well through the use of broader national deterrent powers.” In other words: Get ready for a Cyber Cold War.